Method and Apparatus For Solving Sequential Constraints

FIELD OF THE INVENTION 

The present invention relates generally to the solution of sets of constraints, and more particularly to the solution of sets of constraints containing at least one sequential constraint, in connection with design verification.



BACKGROUND OF THE INVENTION 

To tackle the increasing complexity of integrated digital electronic circuits, designers need faster and more accurate methods for verifying the functionality and timing of such circuits, particularly in light of the need for ever-shrinking product development times.

The complexity of designing such circuits is often handled by expressing the design in a high-level hardware description language (HLHDL). The HLHDL description is then converted into a physical circuit specification through processes, well known to those of ordinary skill in the art as "synthesis," involving translation and optimization. Examples of an HLHDL are:

1. IEEE Standard 1364-2001, for the Verilog Hardware Description Language. The Institute of Electrical and Electronics Engineers, Inc., 345 East 47th Street, New York, NY 10017-2394, USA.

2. IEEE Standard 1076-1993, for the VHDL Hardware Description Language. ISBN: 1559373768, August 1994. The Institute of Electrical and Electronics Engineers, Inc., 345 East 47th Street, New York, NY 10017-2394, USA.
Once the HLHDL design has been created, it needs to be verified, and such HLHDL design can be referred to as the design under test or the design under verification (referred to herein as a "DUT/DUV").

An HLHDL description can be verified by simulation at the HLHDL level. In another approach, the HLHDL can be translated into a gate-level description that is then simulated, proven by formal methods or is subject to a hybrid combination of simulation and formal approaches.
Verification of an HLHDL description at relatively high levels of design abstraction is important since detecting a circuit problem early prevents the expenditure of valuable designer time on achieving an efficient physical implementation for a design which, at a higher level, will not achieve its intended purpose. In addition, simulation of the DUT/DUV can be accomplished much more quickly at higher levels of representation than after the DUT/DUV has been translated into a lower-level, more circuit-oriented implementation. For the formal approach, combinatorial "explosion" is a major problem and therefore applying such methods to higher abstraction levels tends to allow them to address a larger portion of the DUT/DUV.

The verification of HLHDL descriptions has been aided by Hardware 
Verification Languages (or HVLs). An HVL can be implemented and supported 
by a test-bench automation (TBA) tool. Among other goals, HVLs can provide 
programming constructs and capabilities more closely matched to the task of 
verification of a DUT/DUV than are, for example, the HLHDL of the DUT/DUV 
itself or software-oriented programming languages (such as C or C++). 

HVLs can include a programming mechanism by which to specify 
declarative constraints on a set of variables. Such declarative constraints can be 
easier to specify than a procedural approach. Uses of declarative constraints 
can include the following: 

i) declaration of "assertions" that specify properties the DUT/DUV 
must exhibit in order to be regarded as operating correctly; and 

ii) declaration of "assumptions" that specify properties the 
environment of the DUT/DUV must exhibit. 

A DUT/DUV is typically designed such that correct operation is only 
assured if its environment satisfies a certain set of assumptions that have been 
input to the verification system as a model of the environment. 

In the context of simulation-based verification, an environment that operates according to a set of assumption constraints can be achieved by solving the assumption constraints during the simulation process. In this case, terms of the assumption constraints whose values can be changed (i.e., are under the control of the environment), to find a solution to the environment's assumption constraints during a particular simulation cycle, are referred to as random variables (or RVs). Terms of the assumption constraints not under control of the environment (e.g., driven by the DUT/DUV) are referred to as state variables (or SVs).

In the context of formal verification, the objective is to exhaustively prove, 
provided the assumption constraints are not violated, that assertions about the 
DUT/DUV cannot be violated. 

It is known how to automatically implement a verification environment, for testing a DUT/DUV, from declarative combinational assumption constraints (or simply "combinational assumption constraints").

However, combinational assumption constraints cannot specify a time-ordered behavior for an environment since combinational constraints specify assignment of values solely as a functional (or memoryless) response to a current state of the various types of inputs that may be applied to it.

It is also known how to automatically implement declarative combinational or sequential assertion constraints. For verification by either formal methods or simulation, such combinational or sequential constraints can be converted, by logic synthesis tools, into an additional circuit, referred to as a "monitor," that is connected to the DUT/DUV and that asserts an "assertion error" output if an assertion is violated.

It would be desirable to be able to automatically implement a verification environment, for testing a DUT/DUV, from an input set of assumptions that includes declarative sequential assumption constraints (or simply "sequential assumption constraints").

SUMMARY OF THE INVENTION 

1. Summary of Conversion of Sequential Constraints 
The present invention comprises techniques for automatically converting a set of assumption constraints, that includes sequential assumption constraints, into a representation of an environment that tests a DUT/DUV.

Such sequential assumption constraints can be specified in a property 
language. While the process description herein is focused on the conversion of 
the sequential constraints, of an input set of assumption constraints that model 
an environment, it should be understood that the input set of assumption 
constraints can include combinational assumption constraints. 

Below is described a process for automatic conversion of sequential 
assumption constraints, into a representation of an environment that tests a 
DUT/DUV, in terms of a first step and a second step. 

1.1 Summary of First Step 

In a first step, the sequential assumption constraints are converted, with 
the use of logic synthesis tools, into a gate-level representation that could serve 
as a monitor of the environment. This gate-level representation for the 
sequential assumption constraints (referred to herein as the "gate-level 
assumption representation") can include the following: 

i) register pipelines (referred to herein as "assumption pipelines") that 
model the time-dependent properties of the sequential constraints to be 
converted; and 

ii) combinational gates (referred to herein as "assumption gates") that 
drive an output (referred to herein as an "assumption error output") indicating that 
an error in the assumptions has occurred. 

Combinational assumption constraints, if included within an input set of 
assumption constraints for modeling an environment, just require the assumption 
gates aspect of the gate-level assumption representation. 

Two logic synthesis tools can be used to produce the gate-level 
assumption representation: 

i) A "sequential-constraints-to-HLDL compiler," that converts a language with sequential declarative constraints into a monitor in an HLHDL. When such compiler encounters a sequential delay operator, it implements the sequential delay, in its output HLHDL, by producing a pipeline structure.

ii) An "HLDL-to-gate-level compiler," that converts an HLHDL into a gate-level representation.

Once the DUT/DUV, assumptions and assertions are expressed in a 
common gate-level representation, such gate-level representations can be 
combined, for either simulation or formal methods, by a Gate-Level Merger 
process into a combined gate-level representation. 
While the present description focuses upon all of the DUT/DUV, assumptions and assertions being converted into a gate-level representation, alternative approaches can be used. For example, the DUT/DUV can be simulated at the HLHDL (also referred to as RTL) level.

Furthermore, while the present description focuses upon a gate-level representation where the gates are single-bit operators, gate-level representations, where the gates comprise word-level operators, can be used.

1.2 Summary of Second Step 

Upon completion of the first step, the conversion process can continue in one of two ways depending upon whether verification by formal methods, or by simulation, is desired.

For formal verification, a single "formal-verification-output" is constructed, that combines the assumption-error-detecting gate-level assumption representation produced in the first step with assertion-monitoring circuitry for the DUT/DUV. The entire combination, of DUT/DUV, assertion monitor, assumption monitor (environment) and circuitry that produces the formal-verification-output, is input to a formal verifier. Depending upon the construction of the circuitry that produces the formal-verification-output, the goal of the verifier is either to prove the formal-verification-output can never be Logic One (also referred to as a "true" value), or can never be Logic Zero (also referred to as a "false" value).
If it is desired to produce a formal-verification-output where the goal is to prove that it can never be Logic One, such formal-verification-output can be constructed such that it is Logic One if and only if an assertion is violated by the DUT/DUV (e.g., "assertion error" becomes Logic One) and it is not the case that the assumption constraints have ever been violated (e.g., "assumption error" has always been Logic Zero). Assuring that assumption constraints have never been violated can be modeled by feeding assumption error through a recirculating latch circuit, which holds Logic One from the first cycle in which assumption error is Logic One onward, and ANDing the complement of that latch output with assertion error.

A variety of formal verifiers can be used. 
If the gate-level assumption representation of the first step is to be used to generate test data for driving the DUT/DUV, in a simulation verification approach, the second step is to convert such gate-level assumption representation into a hybrid assumption representation that comprises:

i) the assumption pipelines as simulated circuit elements; and

ii) combinational constraints, referred to herein as "equivalent combinational assumption constraints," whose solution by a conventional combinational constraint solver produces an output behavior for the environment that is in accord with the sequential assumption constraints.

During simulation, the assumption pipelines are simulated such that they hold, at any point in the simulation, state information necessary for a solution of the equivalent combinational assumption constraints to be in accord with the sequential assumption constraints. Also, during simulation, the equivalent combinational assumption constraints are solved and such solutions provide data, for driving inputs to the DUT/DUV, that is in accordance with the specified sequential assumption constraints.

Combinational assumption constraints, if included within an input set of assumption constraints for modeling an environment, can be implemented with just the equivalent combinational assumption constraints aspect of the hybrid assumption representation.
The equivalent combinational assumption constraints are formed from a set of gates, referred to herein as the "augmented assumption gates." The augmented assumption gates can be extracted by beginning at the assumption error output and finding a transitive fanin, where such fanin stops under either of two conditions: reaching a register output, or reaching an input to the DUT/DUV. The transitive fanin does not stop upon reaching an output of the DUT/DUV and, therefore, such fanin continues until a register output, within the DUT/DUV, is reached. It is the fact that the transitive fanin does not stop at a DUT/DUV output that can cause the augmented assumption gates to contain additional gates in comparison to the assumption gates.

The augmented assumption gates can be translated into equivalent combinational assumption constraints, expressed in a symbolic form, as follows: each gate's functionality is replaced by an appropriate logical operator; an input to a gate, from an output of a register (whether within the DUT/DUV or within the assumption pipelines), is replaced by a state variable whose value is determined by the value of its corresponding register output; and an input to a gate, connected to an input of the DUT/DUV, is converted into a random variable.

Another approach can be to translate the augmented assumption gates into a BDD by any one of several known methods. As with translation to symbolic form, an input to the BDD is a state variable where an input to a gate is connected to an output of a register within the DUT/DUV, and an input to the BDD is an RV where an input to a gate is connected to an input of the DUT/DUV. Such BDD can then be input to a BDD constraint solver. If such BDD constraint solver seeks solutions where all of its BDD constraints are true, the BDD result of translating the augmented assumption gates may be input to the constraint solver in complemented form.

Solving such equivalent combinational assumption constraints, in the course of a simulation, causes values to be assigned to their random variables that conform with the time-sequence-dependent rules of the input sequential assumption constraints.

2. Summary of Conversion With Deadend Avoidance
For certain sets of sequential assumption constraints, the equivalent combinational assumption constraints determined for them, as described above, are not sufficient to ensure the random variables are always assigned values that conform with the time-sequence-dependent nature of the sequential assumption constraints.

A state of the environment, in which at least one of the input assumption 
constraints that model the environment is violated, is referred to herein as a 
"deadend" state. 

Presented herein is a method for identifying deadend states and for augmenting the equivalent combinational assumption constraint set such that transitions into deadend states are avoided. In the following presentation, the same symbol is used to denote both a set and its Boolean characteristic function.

2.1 Summary of Fail Function 

A "fail function" $F(s,x)$ is determined, from the assumption gates, where $s$ is a state of the assumption pipeline and $x$ is the set of all inputs to the gate-level assumption representation. $F(s,x)$ returns a Logic One if and only if the input $s$ and $x$ would produce an invalid transition.

2.2 Summary of Deadend States Set 

The set of deadend states, $D_0$, can be expressed in terms of $F(s,x)$ as follows:

$$D_0 = \{\, s \mid \forall x \; F(s,x) = 1 \,\}$$

Thus, deadend states are those states that, for all possible input combinations, have no legal transitions. Since $x$ is universally quantified out of $F(s,x)$, $D_0$ is solely in terms of $s$. Therefore, the corresponding Boolean characteristic function $D_0(s)$, of the set $D_0$, returns Logic One only when given a deadend state as an argument.
2.3 Summary of Augmented Deadend States Set

This section discusses production of an augmented deadend states set. If the DUT/DUV has a signal that drives the environment, and is therefore not under the environment's control, it may be desirable to determine a strongly augmented deadend states set. Determination of such strongly augmented deadend states set is discussed further below. Regardless of whether an augmented or strongly augmented deadend states set is determined, the remaining steps for deadend state avoidance are the same.

Augmenting $D_0$ means adding to it all those states that, while having at least one valid transition, lead inexorably to a deadend state. This set, referred to as $D(s)$, can be determined as a stepwise, backward, fixed-point determination. The term "fixed-point determination," as used herein, is also known as a "fixed-point computation" or "fixpoint computation." In mathematical set notation, the fixed-point determination can be expressed as follows:

$$D_{k+1}(s) = D_k(s) \cup \{\, s \mid \forall x \; \exists s' \; N(s,x,s') = 1 \;\land\; D_k(s') = 1 \,\}$$

Where $N(s,x,s')$ is a characteristic function, of a state transition relation, that is defined to return Logic One when, for a particular assumption environment, a present state of $s$ and an input of $x$ leads to a next state of $s'$. $N(s,x,s')$ can be formed as follows from a particular gate-level assumption representation. For each register bit of $s'$, the logic gate network of its transitive fanin, terminating at a register bit-line of $s$ or an input bit-line of $x$, is determined. The logic network is converted into an equivalent Boolean logic expression that is then equated with the register bit of $s'$. For all bits in $s'$, the equations are ANDed together to form $N(s,x,s')$.
The above formula can be used with $D_k(s)$ initially set to $D_0$, and is iteratively applied as long as the value for $D_{k+1}(s)$ is not equal to the value for $D_k(s)$.

2.4 Summary of Reachable States Set 

While the above procedure results in a set $D(s)$ containing all states that are either deadend states, or that lead inevitably to deadend states, some of the states in $D(s)$ may not be reachable from the initial states of the environment. With $R_0(s)$ defined as the set of initial states of the environment, we define a set $R_{k+1}(s)$ to be the set of all states reachable in at most one transition from $R_k(s)$, and $R(s)$ to be the set of all states reachable from $R_0(s)$. $R_0(s)$ is defined as the set of initial states of the environment monitor, that can be, for example, the state in which all registers of the monitor contain zero.

$R(s)$ can be determined as a stepwise, forward, fixed-point determination. In mathematical set notation, this fixed-point determination can be expressed as follows:

$$R_{k+1}(s) = R_k(s) \cup \{\, s' \mid \exists x \; \exists s \; (N(s,x,s') = 1 \;\land\; R_k(s) = 1) \,\}$$

As can be seen above, the right-hand-side expression to the union operator provides a state $s'$ for extending $R_k(s)$ if there exists an input $x$ and a state $s$, where $s$ is a member of $R_k(s)$, such that $s$, $x$ and $s'$ are a valid transition.

The above formula can be used with $R_k(s)$ initially set to $R_0(s)$, and is iteratively applied as long as the value for $R_{k+1}(s)$ is not equal to the value for $R_k(s)$.

2.5 Summary of Reachable Deadend States Set 
The set of reachable deadend states, referred to as $RD(s)$, is the intersection of the sets $R(s)$ and $D(s)$.

2.6 Summary of Fail Function Augmented For Deadend Avoidance 

An augmented fail function "F" with deadend avoidance, referred to as $F_{da}$, can be determined from the above determined relation $N(s,x,s')$ and set $RD(s)$. Determination of $F_{da}$ can be described as follows:

$$F_{da}(s,x) = \exists s' \; \{\, N(s,x,s') = 1 \;\land\; RD(s') = 1 \,\}$$

$F_{da}(s,x)$ is the characteristic function of the set of present state and input pairs such that there exists a next state, but the next state is either a deadend state or leads inexorably to a deadend state.

2.7 Summary of Augmented Equivalent Combinational Assumption 
Constraints 

$F_{da}(s,x)$ can be used to form the following constraint, that augments the equivalent combinational assumption constraints:

$$F_{da}(s,x) = 0$$

Depending upon the constraint solver, an alternate format, for the constraint that augments the equivalent combinational assumption constraints, is as follows. The objective, with the following format, is to find solutions that make the expression return a Logic One:

$$\lnot F_{da}(s,x)$$

3. Summary of Conversion With Strong Deadend Avoidance

The above method for deadend avoidance is sufficient if the environment receives no inputs from the DUT/DUV. However, if the environment is subject to variables not under its control, stronger deadend avoidance constraints may be needed.

In this case, the deadend avoidance method of above can have its augmented deadend states set determined as follows:

$$D_{k+1}(s) = D_k(s) \cup \{\, s \mid \exists x_{out} \; \forall x_{in} \; \exists s' \; N(s, x_{out}, x_{in}, s') = 1 \;\land\; D_k(s') = 1 \,\}$$

Where $N(s, x_{out}, x_{in}, s')$ differs from $N(s,x,s')$ by splitting the $x$ into two parts: "$x_{out}$," which are outputs of the DUT/DUV; and "$x_{in}$," which are inputs to the DUT/DUV. The distinction is significant since the "$x_{in}$" signals are under direct control of the environment while the "$x_{out}$" signals are not. The above equation is stating that if there is even one combination of "$x_{out}$" signals for which, whatever the environment chooses for "$x_{in}$," the transition leads to a state already a member of $D_k(s)$, then $s$ should be included in $D_{k+1}(s)$.
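The computations of sections 2.1 through 2.7 and of section 3, worked through in Python on a constructed toy monitor, as an added example (this is not code from the patent; the monitor, its two-bit pipeline state (p, q), its DUT-driven input busy, its environment-driven inputs a and b, and its three assumption rules are all assumptions made here). A deterministic next_state function stands in for the relation N(s,x,s'), so "exists s'" is just a lookup; the first iteration of the backward fixed point, started from the empty set, is exactly D_0 (and, for the strong case, the analogous "exists xout, for all xin" version of D_0); and invalid transitions (F = 1) are treated as offering no escape from a state, because the constraint solver never takes them:

```python
from itertools import product

# Constructed toy environment monitor (an assumption made for this example,
# not one of the patent's figures). State s = (p, q): p = "a was asserted one
# cycle ago", q = "a was asserted two cycles ago".
# Inputs: xout = (busy,) is driven by the DUT (not under environment control);
#         xin  = (a, b)  is driven by the environment (the random variables).
STATES = [(p, q) for p in (0, 1) for q in (0, 1)]
XOUT = [(busy,) for busy in (0, 1)]
XIN = [(a, b) for a in (0, 1) for b in (0, 1)]
INITIAL = {(0, 0)}  # R0: every monitor register reset to zero


def next_state(s, xout, xin):
    """Deterministic form of N(s,x,s'): the assumption pipeline shifts a."""
    p, _q = s
    a, _b = xin
    return (a, p)


def fail(s, xout, xin):
    """F(s,x): Logic One iff state s with input x is an invalid transition."""
    p, q = s
    (busy,) = xout
    a, b = xin
    return int((p and not b)     # a one cycle ago: b must be asserted now
               or (q and b)      # a two cycles ago: b must be low again
               or (b and busy))  # b may not be asserted while the DUT is busy


def deadend_states(strong=False):
    """Backward fixed point D(s). From the empty set, the first iteration
    yields D0 (no legal transition at all); each further iteration adds the
    states whose every legal transition leads into the current D.
      weak:   s is dead iff for all xout, for all xin: F(s,x) or N(s,x) in D
      strong: s is dead iff exists xout, for all xin:  F(s,x) or N(s,x) in D
    Invalid transitions (F = 1) are treated as offering no escape, because
    the constraint solver never takes them (a choice made in this example)."""
    D = set()
    while True:
        new = set(D)
        for s in STATES:
            if s in D:
                continue
            stuck = [all(fail(s, xout, xin) or next_state(s, xout, xin) in D
                         for xin in XIN) for xout in XOUT]
            dead = any(stuck) if strong else all(stuck)
            if dead:
                new.add(s)
        if new == D:
            return D
        D = new


def reachable_states():
    """Forward fixed point R(s) over N from R0. As on the page, F is not
    consulted here, so R may include states reached only via invalid moves."""
    R = set(INITIAL)
    while True:
        new = set(R)
        for s, xout, xin in product(R, XOUT, XIN):
            new.add(next_state(s, xout, xin))
        if new == R:
            return R
        R = new


def fail_da(s, xout, xin, RD):
    """F_da(s,x): the next state is a reachable deadend (RD = R intersect D)."""
    return int(next_state(s, xout, xin) in RD)


def legal_inputs(s, xout, strong=False):
    """The xin values a combinational solver may choose in state s, given the
    DUT's xout, under the augmented constraints F(s,x) == 0 and F_da(s,x) == 0."""
    RD = reachable_states() & deadend_states(strong)
    return sorted(xin for xin in XIN
                  if not fail(s, xout, xin) and not fail_da(s, xout, xin, RD))


if __name__ == "__main__":
    print("D (weak)  :", sorted(deadend_states()))
    print("D (strong):", sorted(deadend_states(strong=True)))
    for strong in (False, True):
        for s in STATES:
            print("strong" if strong else "weak  ", s, "busy=0 ->",
                  legal_inputs(s, (0,), strong))
```

Under weak avoidance only (1, 1) is a deadend, so the added constraint forbids a = 1 in state (1, 0), a choice that a solver of F alone would permit, since F((1, 0), x) = 0 whenever b = 1 and busy = 0; the deadend would then surface one cycle later, when b is required to be both 1 and 0. Under strong avoidance (1, 0) is also dead, because the DUT can assert busy there and leave the environment no legal b, and the environment may consequently never assert a at all: that is the price of assuming an adversarial DUT, which is why the page treats strong avoidance as something to apply only when the environment actually depends on DUT outputs.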

BRIEF DESCRIPTION OF THE DRAWINGS 

The accompanying drawings, that are incorporated in and constitute a part 
of this specification, illustrate several embodiments of the invention and, together 
with the description, serve to explain the principles of the invention: 

Figure 1 depicts a first example verification system, comprising a 
combination of a DUT/DUV and environment, to illustrate production of a 
gate-level assumption representation; 

Figure 2 depicts an example gate-level assumption representation for a monitor of the environment of Figure 1;

Figure 3 depicts the first example verification system of Figure 1, to which has been added the environment monitor of Figure 2 along with an assertion monitor for the DUT/DUV;
Figure 4 depicts the combination of the assertion monitor and assumption monitor of Figure 3 for purposes of formal verification;

Figure 5 depicts a second example verification system, comprising a combination of a DUT/DUV and environment, to illustrate deadend state avoidance;

Figure 6 depicts the second example verification system of Figure 5, to 
which has been added an example gate-level assumption representation for a 
monitor of the environment of Figure 5; 

Figures 7A-7B depict processes for conversion of sequential assumption constraints for purposes of DUT/DUV verification;

Figure 8 depicts an overall verification process that includes the 
conversion of sequential assumption constraints for purposes of DUT/DUV 
verification; and 

Figure 9 shows a computing hardware environment within which to operate the present invention.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS 

Reference will now be made in detail to preferred embodiments of the invention, examples of which are illustrated in the accompanying drawings. Wherever possible, the same reference numbers will be used throughout the drawings to refer to the same or like parts.

This specification contains pseudo-code to illustrate several embodiments of the invention and to explain its principles. The pseudo-code is loosely based upon the C and C++ programming languages. The C and C++ programming languages are described in such texts as "The C Programming Language", by B. W. Kernighan and D. M. Ritchie, Prentice Hall, Inc., 1988, ISBN 0-13-110362-8 (paperback), 0-13-110370-9 (hardback) and "The C++ Programming Language," by Bjarne Stroustrup, Addison-Wesley Pub. Co., 3rd edition, July 1997, ISBN 0-201-88954-4, which are herein incorporated by reference.

1. Conversion Of Sequential Constraints

The present invention comprises techniques for automatically converting sequential assumption constraints into a representation of an environment that tests a DUT/DUV. While the process description herein is focused on the conversion of the sequential constraints, of an input set of assumption constraints that model an environment, it should be understood that the input set of assumption constraints can include combinational assumption constraints.
Sequential assumption constraints can be specified in a property language, such as:

i) OpenVera Assertion language (or OVA), Synopsys, Inc., Mountain View, CA, USA;
ii) PSL (see Y. Abarbanel, I. Beer, L. Gluhovsky, S. Keidar, Y. Wolfsthal. "FoCs - Automatic generation of simulation checkers from formal specifications," In Proceedings of CAV, 2000); and

iii) SVA (see SystemVerilog 3.1, Accellera's Extensions to Verilog, June 2003).

The present invention operates as follows and will be explicated with the assistance of a first example verification system as shown in Figure 1.

Figure 1 depicts a block called "PCI Slave" (which is, for purposes of this example, the DUT/DUV) and another block called "PCI Master" (which is, for purposes of this example, the environment).

An informal, sequential assumption constraint oriented, description of the operation of the environment of Figure 1 is as follows: if the DUT/DUV asserts the "req" line of the environment on one clock cycle, and the DUT/DUV asserts the "valid" line of the environment one clock cycle later, then, two clock cycles after "req" was initially asserted, the environment should assert the "grant" line.

Such a sequential assumption constraint can be expressed in OVA as follows:

    event e1: req==1 #1 valid==1;
    event e2: if (ended e1) then #1 (grant==1);
    assume a: check(e2);



Sequential delay can be represented in OVA by the "#" sequential delay operator, and such operator is used in the above OVA example. An OVA event detects sequential conditions, and the ended operator detects the occurrence of an event. In the above OVA example, the event e2 specifies the sequential assumption constraint.

Below is described a process for automatic conversion of sequential assumption constraints, into a representation of an environment that tests a DUT/DUV, in terms of a first step and a second step. Such first step and second step are also depicted in Figure 7A.
An overall view of the preparation of a circuit model for the verification process, that includes processing of the DUT/DUV, as well as of the assertions, is shown in Figure 8. Figure 8 comprises boxes representing data representations produced and/or utilized at various steps in a process, with such boxes connected by arrows representing processes that utilize and produce data representations. Figure 8 is divided into upper and lower halves by a dashed line 850. The portion above dashed line 850 (whose components are numbered in the range 800 to 824) corresponds to the first step, while the portion below the dashed line 850 (whose components are numbered in the range 830 to 840) corresponds to the second step.

1.1 First Step 

In a first step (see step 700 of Figure 7A), the sequential assumption constraints are converted, with the use of logic synthesis tools, into a gate-level representation that could serve as a monitor of the environment. This gate-level representation for the sequential assumption constraints (referred to herein as the "gate-level assumption representation") can include the following:

i) register pipelines (referred to herein as "assumption pipelines") that 
model the time-dependent properties of the sequential constraints to be 
converted; and 

ii) combinational gates (referred to herein as "assumption gates") that drive an output (referred to herein as an "assumption error output") indicating that an error in the assumptions has occurred. The assumption gates can be dependent on any combination of the following: state bits of the assumption pipelines, inputs to the DUT/DUV, outputs of the DUT/DUV, inputs to the environment, outputs of the environment.

The assumption gates can be identified by beginning at the assumption 
error output and finding a transitive fanin, where such fanin stops under any of 
three conditions: reaching a register output of the assumption pipelines, reaching 
an input to the DUT/DUV, or reaching an output of the DUT/DUV. 
Combinational assumption constraints, if included within an input set of assumption constraints for modeling an environment, just require the assumption gates aspect of the gate-level assumption representation.

In the case of constraints written in OVA, two logic synthesis tools can be 
used to produce the gate-level assumption representation: OVA Compiler of 
Synopsys, Inc. and Design Compiler of Synopsys, Inc. More generally, two logic 
synthesis tools for performing the first step are: 

i) A "sequential-constraints-to-HLDL compiler," that converts a language with sequential declarative constraints into a monitor in a high-level hardware description language (HLHDL), such as Verilog or VHDL. When such compiler encounters a sequential delay operator, it implements the sequential delay, in its output HLHDL, by producing a pipeline structure.

ii) An "HLDL-to-gate-level compiler," that converts an HLHDL 
into a gate level representation. The compiler utilized need not 
include some or all of the optimization procedures, typically 
associated with HLHDL to gate-level compilers, since sub-optimal 
logic designs, with respect to a circuit implementation, can still be 
suitable for the automatic conversion of sequential constraints for 
purposes of design verification. An advantage of not utilizing such 
optimization procedures, when an HLDL-to-gate-level compiler is 
utilized for automatic conversion of sequential constraints, is a 
greater speed of conversion. 

In the case of OVA constraints, they can be converted, by OVA Compiler, into Verilog or VHDL. For the OVA statement, of the first example verification system, an example conversion into Verilog is as follows (shown wrapped in a module with its register declarations so that it compiles as written):

    module assumption_monitor(input clk, input reset, input req, input valid,
                              input grant, output err);
        reg pre_req, valid_pre_req;

        /* assumption error: req two cycles ago, valid one cycle ago, and
           grant not asserted now */
        assign err = valid_pre_req && !grant;

        always @(posedge clk or posedge reset) begin
            /* the non-blocking assignment operators, "<=", of a begin-end
               block take effect simultaneously at the clock edge */
            if (reset) begin
                pre_req <= 0;
                valid_pre_req <= 0;
            end
            else begin
                pre_req <= req;                    /* use pre_req as register to
                                                      record passage of a cycle */
                valid_pre_req <= pre_req && valid; /* req one cycle ago and valid now */
            end
        end
    endmodule



The HLHDL produced by OVA Compiler can be converted into a gate-level assumption representation by Design Compiler, or by a version of Design Compiler from which some or all of its optimization procedures, for a circuit implementation, have been removed.

For the just-above-listed example Verilog, an example gate-level assumption representation is shown in Figure 2. Figure 3 depicts such gate-level assumption representation of Figure 2 in dashed outline, and connected to the first example verification system of Figure 1 as it would be if such gate-level assumption representation were being used as an assertion monitor of the environment. Figure 3 also adds, to the first example verification system, assertion monitoring circuitry for the DUT/DUV.

Figure 8 depicts the above-described first step in the context of an overall 
verification system. Conversion of a property language description of 
assumptions into a gate-level representation is depicted by those parts of the 
figure labeled 810 to 814. A similar process, represented in Figure 8 by those 
parts of the diagram labeled 820 to 824, can be used to convert a property 
language description of assertions into a gate-level representation. For the 
DUT/DUV, Figure 8 depicts (by those parts of the diagram labeled 802 to 804) 
conversion of an HLHDL description (802) into a gate-level representation (804) 
by an HLDL-to-gate-level compiler process (803). Figure 8 refers to HLHDL 
representations (in boxes 802, 812 and 822) as register-transfer level (or RTL) 
representations. Once the DUT/DUV, assumptions and assertions are 
expressed in a common gate-level representation (indicated by boxes 804, 814 
and 824), such gate-level representations can be combined, for either simulation 
or formal methods, by a Gate-Level Merger process (800) into a combined 
gate-level representation (801). 

While Figure 8 depicts all of the DUT/DUV, assumptions and assertions 
being converted into a gate-level representation, alternative approaches can be 
used. For example, the DUT/DUV can be simulated at the HLHDL (also referred 
to as RTL) level. 

Furthermore, while the present description focuses upon a gate-level 
representation where the gates are single-bit operators, gate-level 
representations, where the gates comprise word-level operators, can be used. 

1.2 Second Step 

Upon completion of the first step, the conversion process can continue in 
one of two ways (see decision point 701 of Figure 7A), depending upon whether 
verification by formal methods, or by simulation, is desired. 

1.2.1 Formal Verification 

For formal verification (see second step 702 of Figure 7A), a single 
"formal-verification-output" is constructed, that combines the assumption-error- 
detecting gate-level assumption representation produced in the first step with 
assertion-monitoring circuitry for the DUT/DUV. The entire combination, of 
DUT/DUV, assertion monitor, assumption monitor (environment) and circuitry 
that produces the formal-verification-output, is input to a formal verifier. 
Depending upon the construction of the circuitry that produces the formal- 
verification-output, the goal of the verifier is either to prove the formal-verification- 
output can never be Logic One (also referred to as a "true" value), or can never 
be Logic Zero (also referred to as a "false" value). 

If it is desired to produce a formal-verification-output where the goal is to 
prove that it can never be Logic One, such formal-verification-output can be 
constructed such that it is Logic One if and only if an assertion is violated by the 
DUT/DUV (e.g., "assertion error" becomes Logic One) and it is not the case that 
the assumption constraints have ever been violated (e.g., "assumption error" is 
always Logic Zero). Assuring that assumption constraints have never been 
violated can be modeled by feeding assumption error through a recirculating 
latch circuit before it is ANDed with assertion error. 

An example gate-level circuit, that specifies a formal-verification-output 
called "final error," is shown in Figure 4. A design can be verified by 
proving that "final error" of Figure 4 can never be Logic One. As can be seen, 
"assumption error" is connected to a recirculating latch configuration. 

As can also be seen, "final error" is an AND of the "assertion error" output 
and the NOT of the recirculating latch output. If the formal verifier can prove that 
an "assertion error" can occur, while never violating an assumption constraint, 
then the DUT/DUV designer needs to be notified by asserting the "final error" 
output. 

A variety of formal verifiers can be used. An example suitable formal 
verifier is presented in the following paper: "Formal Property Verification by 
Abstraction Refinement with Formal, Simulation and Hybrid Engine," by D. Wang, 
P-H. Ho, J. Long, J. Kukula, Y. Zhu, T. Ma and R. Damiano, Proceedings of the 
Design Automation Conference, June 18-22, 2001, Las Vegas, Nevada, USA, 
pages 35-40. Formal verifiers, also referred to as symbolic model checkers, are 
also provided by the following companies: Real Intent, Inc., Santa Clara, CA; 
Jasper Design Automation, Inc., Mountain View, CA; and International Business 
Machines Corporation, Armonk, NY, with its "RuleBase Formal Verification Tool." 

In Figure 8, such second step for formal verification is depicted by an 
assertion/assumption combiner process (840) and the resulting gate-level 
representation for formal verifier (841) that contains a single 
formal-verification-output. 

1.2.2 Simulation Verification 

If the gate-level assumption representation of the first step is to be used to 
generate test data for driving the DUT/DUV, in a simulation verification approach, 
the second step (see second step 703 of Figure 7A) is to convert such gate-level 
assumption representation into a hybrid assumption representation that 
comprises: 

i) the assumption pipelines as simulated circuit elements; and 

ii) combinational constraints, referred to herein as 
"equivalent combinational assumption constraints," whose solution 
by a conventional combinational constraint solver produces an 
output behavior for the environment that is in accord with the 
sequential assumption constraints. 

During simulation, the assumption pipelines are simulated such that they 
hold, at any point in the simulation, state information necessary for a solution of 
the equivalent combinational assumption constraints to be in accord with the 
sequential assumption constraints. Also, during simulation, the equivalent 
combinational assumption constraints are solved and such solutions provide 
data, for driving inputs to the DUT/DUV, that is in accordance with the specified 
sequential assumption constraints. 

Combinational assumption constraints, if included within an input set of 
assumption constraints for modeling an environment, can be implemented with 
just the equivalent combinational assumption constraints aspect of the hybrid 
assumption representation. 

The equivalent combinational assumption constraints are formed from a 
set of gates, referred to herein as the "augmented assumption gates." The 
augmented assumption gates can be extracted by beginning at the assumption 
error output and finding a transitive fanin, where such fanin stops under either of 
two conditions: reaching a register output, or reaching an input to the DUT/DUV. 
The transitive fanin does not stop upon reaching an output of the DUT/DUV and, 
therefore, such fanin continues until a register output, within the DUT/DUV, is 
reached. It is the fact that the transitive fanin does not stop at a DUT/DUV output 
that can cause the augmented assumption gates to contain additional gates in 
comparison to the assumption gates. 

For the example of Figure 3, such transitive fanin extracts, as the 
augmented assumption gates, gates 300 and 301. If wire 312 of gate 300 were 
an output of the DUT/DUV, rather than the input shown, the transitive fanin would 
continue back into the internal circuitry of the DUT/DUV until its first layer of 
registers is reached. 

The augmented assumption gates can be translated into equivalent 
combinational assumption constraints, expressed in a symbolic form, as follows: 
each gate's functionality is replaced by an appropriate logical operator; an input 
to a gate, from an output of a register within the DUT/DUV, is replaced by a state 
variable whose value is determined by the value of its corresponding register 
output; and an input to a gate, connected to an input of the DUT/DUV, is 
converted into a random variable. 

Another approach can be to translate the augmented assumption gates 
into a BDD by any one of several known methods. As with translation to 
symbolic form, an input to the BDD is a state variable where an input to a gate is 
connected to an output of a register within the DUT/DUV and an input to the BDD 
is an RV where an input to a gate is connected to an input of the DUT/DUV. 
Such BDD can then be input to a BDD constraint solver. If such BDD constraint 
solver seeks solutions where all of its BDD constraints are true, the BDD result of 
translating the augmented assumption gates may be input to the constraint 
solver in complemented form. 

Solving such equivalent combinational assumption constraints, in the 
course of a simulation, causes values to be assigned to their random variables 
that conform with the time-sequence-dependent rules of the input sequential 
assumption constraints (such as the example OVA rule shown above). 

For the example of Figure 3, the equivalent combinational assumption 
constraint solved is as follows: 

313 && 314 && (!grant) == 0 

For the above-listed constraint, 313 and 314 are state variables (or SV's), 
whose values are given by the simulation, while "grant" is the random variable (or 
RV) for which a combinational constraint solver finds acceptable values. 
In Figure 8, a second step for simulation verification is depicted by a 
Gate-Level Extractor process (830) that produces equivalent combinational 
assumption constraints (831) and a gate-level representation (832) for 
simulation. 
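The hybrid representation of Section 1.2.2, traced cycle by cycle for the first example, as an added illustration that is not part of the patent: the two pipeline registers of the Verilog above are simulated in Python, and in every cycle the equivalent combinational constraint is solved for the RV "grant" using the SV read from the pipeline. The constraint is written here over the register name valid_pre_req rather than the Figure 3 wire numbers 313 and 314 (assumed to denote the register outputs feeding gate 300). The (req, valid) trace, the never_grant policy and the function names are constructed for this example.

```python
import random
from typing import Callable, Dict, List, Tuple

# Constructed DUT/DUV output trace, one (req, valid) pair per cycle
# (sample input for this illustration, not from the patent).
TRACE: List[Tuple[int, int]] = [(1, 0), (1, 1), (0, 1), (1, 1),
                                (1, 0), (0, 0), (1, 1), (0, 1)]

# A grant policy maps the SV valid_pre_req and a PRNG to a value for the RV grant.
GrantPolicy = Callable[[int, random.Random], int]


def solve_grant(valid_pre_req: int, rng: random.Random) -> int:
    """Combinational constraint solve: enumerate the RV values that satisfy
    valid_pre_req && !grant == 0 for the current SV, then pick one at random.
    When valid_pre_req is 0 both values are legal; when it is 1 only grant=1 is."""
    legal = [g for g in (0, 1) if not (valid_pre_req and not g)]
    return rng.choice(legal)


def never_grant(valid_pre_req: int, rng: random.Random) -> int:
    """An environment that ignores the assumption (always drives grant=0),
    used to show the assumption-error monitor firing."""
    return 0


def simulate(trace: List[Tuple[int, int]], policy: GrantPolicy,
             seed: int = 1) -> List[Dict[str, int]]:
    """Simulate the assumption pipeline of the Verilog (pre_req, valid_pre_req)
    together with its err monitor, solving for grant every cycle."""
    rng = random.Random(seed)
    pre_req, valid_pre_req = 0, 0          # reset values of both registers
    log: List[Dict[str, int]] = []
    for cycle, (req, valid) in enumerate(trace):
        # Combinational part of the cycle: the solver reads the SV, picks the RV.
        grant = policy(valid_pre_req, rng)
        # assign err = valid_pre_req && !grant;
        err = int(valid_pre_req and not grant)
        log.append({"cycle": cycle, "req": req, "valid": valid,
                    "valid_pre_req": valid_pre_req, "grant": grant, "err": err})
        # posedge clk: non-blocking assignments read the pre-edge register values.
        pre_req, valid_pre_req = req, int(pre_req and valid)
    return log


def error_count(log: List[Dict[str, int]]) -> int:
    """Number of cycles in which the assumption monitor raised err."""
    return sum(entry["err"] for entry in log)


if __name__ == "__main__":
    for entry in simulate(TRACE, solve_grant):
        print(entry)
    print("errors with never_grant:", error_count(simulate(TRACE, never_grant)))
```

With the constraint solved each cycle the monitor never fires, whereas the unconstrained never_grant policy trips err in exactly the cycles where the pipeline state says a grant is due; that is the division of labour between simulated pipeline (state) and combinational solver (random variables) described above.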

2. Conversion With Deadend Avoidance 

For certain sets of sequential assumption constraints, the equivalent 
combinational assumption constraints determined for them, as described above, 
are not sufficient to ensure the random variables are always assigned values 
that conform with the time-sequence-dependent nature of the sequential 
assumption constraints. A state of the environment, in which at least one of the 
input assumption constraints that model the environment is violated, is referred to 
herein as a "deadend" state. 

The following is an example of such a sequential assumption constraint 
set written in OVA: 

If (x==1) then (#2 y==1); 
If (z==1) then (#1 y==0); 

A second example verification system, having example connections 
between an environment operating according to the just-above OVA constraint 
set and a DUT/DUV, is shown in Figure 5. Example Verilog, that can be 
generated for each of the above rules by OVA Compiler, is as follows: 

/* Verilog for If (x==1) then (#2 y==1); */ 

assign err = pre_pre_x && !y; 

always @(posedge clk or posedge reset) begin 
    if (reset) begin 
        pre_x <= 0; 
        pre_pre_x <= 0; 
    end 
    else begin 
        pre_x <= x; 
        pre_pre_x <= pre_x; 
    end 
end 

/* Verilog for If (z==1) then (#1 y==0); */ 

assign err = pre_z && y; 

always @(posedge clk or posedge reset) begin 
    if (reset) begin 
        pre_z <= 0; 
    end 
    else begin 
        pre_z <= z; 
    end 
end 

An example gate-level assumption representation, that can be generated 
for the above Verilog from Design Compiler, is depicted in dashed outline in 
Figure 6. The gate-level assumption representation is shown connected to the 
second example verification system of Figure 5 as it would be if such gate-level 
assumption representation were being used as an assertion monitor of the 
environment. An equivalent combinational assumption constraint, extracted from 
the example gate-level assumption representation, is as follows: 

( !y && 610 ) || ( y && 620 ) == 0 

Since, for this example, "x," "y," and "z" are all outputs of the environment, 
all of these variables become RV's for the constraint solver, but only "y" appears 
in the equivalent combinational assumption constraint. Therefore, there is no 
constraint in the equivalent combinational assumption constraint set preventing 
RV "z" from being assigned a value of Logic One, by the constraint solver, one 
cycle after RV "x" is assigned a Logic One value. Such time-ordered assignment 
of values to "x" and "z" results, however, in an insolvable conflict situation where, 
for either value of "y," the equivalent combinational assumption constraint is 
violated. Such a state, in which at least one equivalent combinational 
assumption constraint is violated, is referred to herein as a "deadend" state. 

Presented herein is a method for identifying deadend states and for 
augmenting the equivalent combinational assumption constraint set such that 
transitions into deadend states are avoided (see Figure 7B, which is an 
expansion of step 704 of Figure 7A). Within the overall verification process of 
Figure 8, such process for augmenting the equivalent combinational assumption 
constraint set is performed by the Gate-Level Extractor process (830). 

2.1 Fail Function 

A "fail function" F(s,x) is determined, from the assumption gates, where s 
is a state of the assumption pipeline and x is the set of all inputs to the gate-level 
assumption representation (see step 710 of Figure 7B). F(s,x) returns a Logic 
One if and only if the inputs s and x would produce an invalid transition. For the 
second example verification system of Figure 6, s is 610, 611 and 620, while x 
is "x," "y" and "z." The fail function for Figure 6 is comprised of gates 600, 601 
and 630 and can be represented symbolically as follows: 

F(s,x) = ( !y && 610 ) || ( y && 620 ) 

Since the assumptions for a DUT/DUV can be complex, in terms of the 
number of state bits and/or inputs, it can be desirable to express F(s,x) in a 
compact representation, such as a binary decision diagram (BDD). 

2.2 Deadend States Set 

Using mathematical set notation, the set of deadend states, D_0, can be 
expressed in terms of F(s,x) as follows (see step 711 of Figure 7B): 

$D_0 = \{ s \mid \forall_x\; F(s,x) = 1 \}$ 

Thus, deadend states are those states that, for all possible input 
combinations, have no legal transitions. Since x is universally quantified out of 
F(s,x), D_0 is solely in terms of s. Therefore, D_0(s) returns Logic One only 
when given a deadend state as an argument. In terms of pseudo-code, that 
processes BDDs, the determination of D_0 can be expressed as follows: 

D = BDD_FORALL( a_inputs, F(a_states, a_inputs) ) 

Where "BDD_FORALL" is a two-argument function that performs universal 
quantification, "a_inputs" corresponds to x, "a_states" corresponds to s and 
F(a_states, a_inputs) corresponds to F(s,x). BDD_FORALL universally 
quantifies, from the function F(a_states, a_inputs), the set of inputs specified by 
a_inputs. 

2.3 Augmented Deadend States Set 

This section discusses production of an augmented deadend states set 
(see step 713 of Figure 7B). If the DUT/DUV has a signal that drives the 
environment ("yes" path of decision point 712 of Figure 7B), and is therefore not 
under the environment's control, it may be desirable to determine a strongly 
augmented deadend states set (see step 714 of Figure 7B). Determination of 
such strongly augmented deadend states set is covered below in Section 3. As 
can be seen from Figure 7B, regardless of whether an augmented or strongly 
augmented deadend states set is determined, the remaining steps for deadend 
state avoidance (see steps 715-718 of Figure 7B) are the same. 

Augmenting D_0 means adding to it all those states that, while having at 
least one valid transition, lead inexorably to a deadend state. This set, referred 
to as D(s), can be determined as a stepwise, backward, fixed-point 
determination. In mathematical set notation, the fixed-point determination can be 
expressed as follows: 

$D_{k+1}(s) = D_k(s) \cup \{ s \mid \forall_x \exists_{s'}\; N(s,x,s') = 1 \,\&\&\, (D_k(s)|_{s \to s'}) = 1 \}$ 

Where N(s,x,s') is a characteristic function, of a state transition relation, 
that is defined to return Logic One when, for a particular assumption 
environment, a present state of s and an input of x leads to a next state of s'. 
As can be seen above, the right-hand-side expression to the union operator 
provides a state s for extending D_k(s) if, for all inputs x, there exists a state s', 
where s' is a member of D_k(s), such that s, x and s' are a valid transition. 

N(s,x,s') can be formed as follows from a particular gate-level 
assumption representation. For each register bit of s', the logic gate network of 
its transitive fanin, terminating at a register bit-line of s or an input bit-line of x, is 
determined. The logic network is converted into an equivalent Boolean logic 
expression that is then equated with the register bit of s'. For all bits in s', the 
equations are ANDed together to form N(s,x,s'). For the second example 
verification system of Figure 6, N(s,x,s') can be expressed symbolically as 
follows: 

N(s,x,s') = 
    610' == 611 && 
    611' == "x" && 
    620' == "z" 

In terms of pseudo-code that processes a BDD representation of D_0 and 
N(s,x,s'), the backward fixed-point determination can be expressed as follows: 

Dprev = 0; 
while (D != Dprev) { 
    Dprev = D; 
    TMP = INEVITABLE(D); 
    D = BDD_OR(TMP, D); 
} 

INEVITABLE( D(a_states) ) = 
    BDD_FORALL(a_inputs, 
        BDD_EXIST(a_nstates, 
            BDD_AND( N(a_states, a_inputs, a_nstates), 
                     BDD_SUBSTITUTE(a_states, a_nstates, D(a_states) ) 
            ) 
        ) 
    ) 

The above "while" loop begins with D set to D_0 and iterates as long as a 
value for Dprev (i.e., a D_{k-1}(s)) is not equal to a value for D (i.e., a D_k(s)). The 
states representing a next step backwards, from a D_k(s), are returned in BDD 
form by an "INEVITABLE" procedure and assigned to a variable "TMP." The 
procedure "BDD_OR" then performs the union of the sets of "TMP" and "D" to 
produce D_{k+1}(s). 

The "INEVITABLE" procedure is a pseudo-code version of the 
above-discussed right-hand-side expression to the union operator. The 
"INEVITABLE" procedure uses a BDD expression "N" for N(s,x,s'), where "N" 
has been determined for the assumptions currently being processed. For "N," 
a_states corresponds to s, a_inputs corresponds to x and a_nstates 
corresponds to s'. 

While BDD_FORALL has been discussed above, the pseudo-code 
procedures BDD_EXIST, BDD_AND and BDD_SUBSTITUTE operate as follows. 
BDD_EXIST existentially quantifies, from the BDD of its second argument, the 
variables (in this case a_nstates) of its first argument. BDD_AND returns a BDD 
that is the AND (or intersection) of the sets represented by each of its BDD 
arguments. BDD_SUBSTITUTE performs the following variable-name 
substitution in the BDD of its third argument: variables in the BDD specified by 
the first argument are replaced by the corresponding variables of the second 
argument. 
2.4 Reachable States Set 

While the above procedure results in a set D containing all states that are 
either deadend states, or that lead inevitably to deadend states, some of the 
states in D may not be reachable from the initial states of the environment. With 
R_0(s) defined as the set of initial states of the environment, we define a set 
R_{k+1}(s) to be the set of all states reachable in one transition from R_k(s) and 
R(s) to be the set of all states reachable from R_0(s). R_0(s) is defined as the set 
of initial states of the environment monitor, that can be, for example, the state in 
which all registers of the monitor contain zero. 

R(s) can be determined as a stepwise, forward, fixed-point determination. 
In mathematical set notation, this fixed-point determination can be expressed as 
follows (see step 715 of Figure 7B): 

$R_{k+1}(s) = R_k(s) \cup \{ s \mid (\exists_x \exists_s\; N(s,x,s') == 1 \,\&\&\, R_k(s) == 1)|_{s' \to s} \}$ 

As can be seen above, the right-hand-side expression to the union 
operator provides a state s for extending R_k(s) if there exists an input x and a 
state s, where s is a member of R_k(s), such that s, x and s' are a valid 
transition. In terms of pseudo-code that processes BDDs, the forward fixed-point 
determination can be expressed as follows: 

Rprev = 0; 
while (R != Rprev) { 
    Rprev = R; 
    TMP = REACHABLE(R); 
    R = BDD_OR(TMP, R); 
} 

REACHABLE( R(a_states) ) = 
    BDD_SUBSTITUTE(a_nstates, a_states, 
        BDD_EXIST(a_inputs, 
            BDD_EXIST(a_states, 
                BDD_AND( R(a_states), 
                         N(a_states, a_inputs, a_nstates) 
                ) 
            ) 
        ) 
    ) 

The above "while" loop begins with R set to R_0 and iterates as long as a 
value for Rprev (i.e., a R_{k-1}(s)) is not equal to a value for R (i.e., a R_k(s)). The 
states representing a next step forward, from a R_k(s), are returned in BDD form 
by a "REACHABLE" procedure and assigned to a variable "TMP." The 
procedure "BDD_OR" then performs the union of the sets of "TMP" and "R" to 
produce R_{k+1}(s). 

The "REACHABLE" procedure is a pseudo-code version of the 
above-discussed right-hand-side expression to the union operator. 

2.5 Reachable Deadend States Set 

The set of reachable deadend states, referred to as RD(s), is the 
intersection of the sets R(s) and D(s) (see step 716 of Figure 7B). In 
pseudo-code, this can be expressed as follows: 

RD = BDD_AND(R, D) 

Reducing D(s) to RD(s) is an efficiency technique, and use of D(s) in 
the below steps will still result in functionally correct results. 

2.6 Fail Function Augmented For Deadend Avoidance 

An augmented fail function "F" with deadend avoidance, referred to as F_da, 
can be determined from the above determined relation N(s,x,s') and set RD(s) 
(see step 717 of Figure 7B). In mathematical set notation, determination of F_da 
can be described as follows: 

$F_{da}(s,x) = \exists_{s'}\; (N(s,x,s') == 1 \,\&\&\, (RD(s)|_{s \to s'}) = 1)$ 

F_da(s,x) contains the set of present state and input pairs such that there 
exists a next state, but the next state is either a deadend state or leads 
inexorably to a deadend state. In terms of pseudo-code processing BDDs, 
determination of F_da(s,x) can be expressed as follows: 

F_WITH_DA( RD(a_states) ) = 
    BDD_EXIST(a_nstates, 
        BDD_AND( N(a_states, a_inputs, a_nstates), 
                 BDD_SUBSTITUTE(a_states, a_nstates, RD(a_states) ) 
        ) 
    ) 



2.7 Augmented Equivalent Combinational Assumption 
Constraints 

F_da(s,x) can be used to form the following constraint, that augments the 
equivalent combinational assumption constraints (see step 718 of Figure 7B): 

F_da(s,x) == 0 

For the second example verification system of Figure 6, the augmented 
equivalent combinational assumption constraint set can be expressed as follows: 

( ( !y && 610 ) || ( y && 620 ) ) == 0 
F_da(s,x) == 0 

Depending upon the constraint solver, an alternate format, for the 
augmented equivalent combinational assumption constraints, is to find solutions 
where all of the following expressions return a value of Logic One: 

!( ( !y && x2 ) || ( y && z1 ) ) 
!F_da(s,x) 

Expressed in terms of pseudo-code, that returns a BDD for a constraint 
solver, the constraint can be determined as follows: 

BDD_NOT( F_WITH_DA(RD) ) 

Where "BDD_NOT" returns a BDD that is the inverse of its BDD argument. 

3. Conversion With Strong Deadend Avoidance 

The above method for deadend avoidance is sufficient if, as shown in the 
example of Figure 6, the environment receives no inputs from the DUT/DUV. 
However, if the environment is subject to variables not under its control, stronger 
deadend avoidance constraints may be needed. 

In this case, the deadend avoidance method of above can have its 
augmented deadend states set determined as follows: 

$D_{k+1}(s) = D_k(s) \cup \{ s \mid \exists_{xout} \forall_{xin} \exists_{s'}\; N(s,xout,xin,s') = 1 \,\&\&\, (D_k(s)|_{s \to s'}) = 1 \}$ 

Where N(s,xout,xin,s') differs from N(s,x,s') by splitting the x into two 
parts: "xout," which are outputs of the DUT/DUV; and "xin," which are inputs to the 
DUT/DUV. The distinction is significant since the "xin" signals are under direct 
control of the environment while the "xout" signals are not. The above equation 
is stating that even if there is only one combination of "xout" signals that would 
cause a transition to a state already a member of a D_k(s), the s should be 
included in D_{k+1}(s). 

A potential problem with strong deadend avoidance, however, is that 
testing of the design can become limited such that some design flaws may no 
longer be detectable. 

For example, consider the case where "z" of Figure 6 is an output of the 
DUT/DUV and an input to the environment. In this case, no constraint can be 
added, to the equivalent combinational assumption constraint set, that would 
prevent the "z" from being set to a Logic One value one cycle after the "x" is set 
to a Logic One value. 

4. Symbolic Example of Deadend State Avoidance 

This section symbolically simulates operation of the above steps of 
Section 2 ("Conversion With Deadend Avoidance") upon the example of Figure 6. 

As discussed above, for the example of Figure 6, s is 610, 611 and 620, 
while x is "x," "y" and "z." For purposes of a symbolic example, 610, 611 and 
620 are given the following alternative names: x2, x1 and z1. 

Symbolically, existential and universal quantification are accomplished as 
follows. The expression from which a variable is to be quantified is converted into 
two forms: one form in which a value of Logic One is substituted for the 
quantified variable and another in which a value of Logic Zero is substituted. 
Then, for existential quantification, the logical OR of the two forms is created 
while, for universal quantification, the logical AND is performed. 

4.1 Fail Function 

The "fail function" F(s,x) was already determined above and, with the new 
variable names for 610 and 620, it can be expressed as follows: 

F(s,x) = ( !y && x2 ) || ( y && z1 ) 

4.2 Deadend States Set 

The set of deadend states, D_0, can be expressed in terms of F(s,x) as 
follows: 

$D_0 = \{ s \mid \forall_x\; F(s,x) = 1 \}$ 

$D_0 = \{ s \mid \forall_x \forall_y \forall_z\; (!y \,\&\&\, x2) \,||\, (y \,\&\&\, z1) \}$ 

$D_0 = \{ s \mid \forall_x \forall_y\; (!y \,\&\&\, x2) \,||\, (y \,\&\&\, z1) \}$ 

$D_0 = \{ s \mid \forall_x\; (x2 \,\&\&\, z1) \}$ 

$D_0 = \{ s \mid (x2 \,\&\&\, z1) \}$ 

4.3 Augmented Deadend States Set 

Next, D(s) can be determined as a stepwise, backward, fixed-point 
determination from D_0 using the following formula: 

$D_{k+1}(s) = D_k(s) \cup \{ s \mid \forall_x \exists_{s'}\; N(s,x,s') == 1 \,\&\&\, (D_k(s)|_{s \to s'}) = 1 \}$ 

N(s,x,s') was already determined above for Figure 6 and, expressed in 
terms of the new names for 610, 611 and 620, it can be expressed as follows: 

N(s,x,s') = (x2' == x1) && (x1' == x) && (z1' == z) 

The determination of D_1 can be expressed as follows: 

$D_1 = D_0 \cup \{ s \mid \forall_x \exists_{s'}\; N(s,x,s') = 1 \,\&\&\, (D_0|_{s \to s'}) = 1 \}$ 

$D_1 = (x2 \,\&\&\, z1) \cup \{ s \mid \forall_x \forall_y \forall_z \exists_{x1'} \exists_{x2'} \exists_{z1'}\; ((x2' == x1) \,\&\&\, (x1' == x) \,\&\&\, (z1' == z)) \,\&\&\, ((x2 \,\&\&\, z1)|_{s \to s'}) \}$ 

$D_1 = (x2 \,\&\&\, z1) \cup \{ s \mid \forall_x \forall_y \forall_z \exists_{x1'} \exists_{x2'} \exists_{z1'}\; ((x2' == x1) \,\&\&\, (x1' == x) \,\&\&\, (z1' == z)) \,\&\&\, (x2' \,\&\&\, z1') \}$ 

$D_1 = (x2 \,\&\&\, z1) \cup \{ s \mid \forall_x \forall_y \forall_z \exists_{x1'} \exists_{x2'}\; ((x2' == x1) \,\&\&\, (x1' == x) \,\&\&\, z) \,\&\&\, x2' \}$ 

$D_1 = (x2 \,\&\&\, z1) \cup \{ s \mid \forall_x \forall_y \forall_z \exists_{x1'}\; (x1 \,\&\&\, (x1' == x) \,\&\&\, z) \}$ 

$D_1 = (x2 \,\&\&\, z1) \cup \{ s \mid \forall_x \forall_y \forall_z\; (x1 \,\&\&\, z) \}$ 

$D_1 = (x2 \,\&\&\, z1) \cup \{ s \mid \forall_x \forall_y\; (0) \}$ 

$D_1 = (x2 \,\&\&\, z1) \cup \{ s \mid 0 \}$ 

Since a fixed point has been reached, D(s) has been found to be 
(x2 && z1). 

4.4 Reachable States Set 

With R_0(s) defined as the set of initial states of the environment monitor, 
for purposes of this example, the initial state can be defined as all registers 
containing zero and therefore can be expressed symbolically as: 

$R_0(s) = !x1 \,\&\&\, !x2 \,\&\&\, !z1$ 

R(s) can be determined as a stepwise, forward, fixed-point determination 
with the following formula: 

$R_{k+1}(s) = R_k(s) \cup \{ s \mid (\exists_x \exists_s\; N(s,x,s') == 1 \,\&\&\, R_k(s) == 1)|_{s' \to s} \}$ 

The determination of R_1 can be expressed as follows: 

$R_1 = R_0 \cup \{ s \mid (\exists_x \exists_s\; N(s,x,s') == 1 \,\&\&\, R_0(s) == 1)|_{s' \to s} \}$ 

$R_1 = (!x1 \,\&\&\, !x2 \,\&\&\, !z1) \cup \{ s \mid (\exists_x \exists_y \exists_z \exists_{x1} \exists_{x2} \exists_{z1}\; (x2' == x1) \,\&\&\, (x1' == x) \,\&\&\, (z1' == z) \,\&\&\, (!x1 \,\&\&\, !x2 \,\&\&\, !z1))|_{s' \to s} \}$ 

$R_1 = (!x1 \,\&\&\, !x2 \,\&\&\, !z1) \cup \{ s \mid (\exists_x \exists_y \exists_z \exists_{x1} \exists_{x2}\; (x2' == x1) \,\&\&\, (x1' == x) \,\&\&\, (z1' == z) \,\&\&\, (!x1 \,\&\&\, !x2))|_{s' \to s} \}$ 

$R_1 = (!x1 \,\&\&\, !x2 \,\&\&\, !z1) \cup \{ s \mid (\exists_x \exists_y \exists_z \exists_{x1}\; (x2' == x1) \,\&\&\, (x1' == x) \,\&\&\, (z1' == z) \,\&\&\, !x1)|_{s' \to s} \}$ 

$R_1 = (!x1 \,\&\&\, !x2 \,\&\&\, !z1) \cup \{ s \mid (\exists_x \exists_y \exists_z\; !x2' \,\&\&\, (x1' == x) \,\&\&\, (z1' == z))|_{s' \to s} \}$ 

$R_1 = (!x1 \,\&\&\, !x2 \,\&\&\, !z1) \cup \{ s \mid (\exists_x \exists_y\; !x2' \,\&\&\, (x1' == x))|_{s' \to s} \}$ 

$R_1 = (!x1 \,\&\&\, !x2 \,\&\&\, !z1) \cup \{ s \mid (\exists_x\; !x2' \,\&\&\, (x1' == x))|_{s' \to s} \}$ 

$R_1 = (!x1 \,\&\&\, !x2 \,\&\&\, !z1) \cup \{ s \mid (!x2')|_{s' \to s} \}$ 

$R_1 = (!x1 \,\&\&\, !x2 \,\&\&\, !z1) \cup !x2$ 

$R_1 = !x2$ 

Since a fixed point has not been reached, the determination of R_2 
can be expressed as follows: 

$R_2 = R_1 \cup \{ s \mid (\exists_x \exists_s\; N(s,x,s') = 1 \,\&\&\, R_1)|_{s' \to s} \}$ 

$R_2 = (!x2) \cup \{ s \mid (\exists_x \exists_y \exists_z \exists_{x1} \exists_{x2} \exists_{z1}\; (x2' == x1) \,\&\&\, (x1' == x) \,\&\&\, (z1' == z) \,\&\&\, (!x2))|_{s' \to s} \}$ 

$R_2 = (!x2) \cup \{ s \mid (\exists_x \exists_y \exists_z \exists_{x1} \exists_{x2}\; (x2' == x1) \,\&\&\, (x1' == x) \,\&\&\, (z1' == z) \,\&\&\, (!x2))|_{s' \to s} \}$ 

$R_2 = (!x2) \cup \{ s \mid (\exists_x \exists_y \exists_z \exists_{x1}\; (x2' == x1) \,\&\&\, (x1' == x) \,\&\&\, (z1' == z))|_{s' \to s} \}$ 

$R_2 = (!x2) \cup \{ s \mid (\exists_x \exists_y \exists_z\; (x1' == x) \,\&\&\, (z1' == z))|_{s' \to s} \}$ 

$R_2 = (!x2) \cup \{ s \mid (\exists_x \exists_y\; (x1' == x))|_{s' \to s} \}$ 

$R_2 = (!x2) \cup \{ s \mid (\exists_x\; (x1' == x))|_{s' \to s} \}$ 

$R_2 = (!x2) \cup \{ s \mid (TRUE)|_{s' \to s} \}$ 

$R_2 = (!x2) \cup TRUE$ 

$R_2 = TRUE$ 

We have reached a fixed point indicating that all states of the environment 
monitor are reachable in two steps. 

4.5 Reachable Deadend States Set 

The set of reachable deadend states, referred to as RD(s), is the 
intersection of the sets R(s) and D(s). This can be determined symbolically as 
follows: 

$RD(s) = TRUE \,\&\&\, x2 \,\&\&\, z1 = x2 \,\&\&\, z1$ 

4.6 Fail Function Augmented For Deadend Avoidance 

The augmented fail function F_da can be determined from the above 
determined relation N(s,x,s') and set RD(s). In mathematical set notation, 
determination of F_da can be described as follows: 

$F_{da}(s,x) = \exists_{s'}\; (N(s,x,s') == 1 \,\&\&\, (RD(s)|_{s \to s'}) == 1)$ 

$F_{da}(s,x) = \exists_{x1'} \exists_{x2'} \exists_{z1'}\; ( ((x2' == x1) \,\&\&\, (x1' == x) \,\&\&\, (z1' == z)) \,\&\&\, ((x2 \,\&\&\, z1)|_{s \to s'}) )$ 

$F_{da}(s,x) = \exists_{x1'} \exists_{x2'} \exists_{z1'}\; ( ((x2' == x1) \,\&\&\, (x1' == x) \,\&\&\, (z1' == z)) \,\&\&\, (x2' \,\&\&\, z1') )$ 

$F_{da}(s,x) = \exists_{x1'} \exists_{x2'}\; ( ((x2' == x1) \,\&\&\, (x1' == x) \,\&\&\, z) \,\&\&\, x2' )$ 

$F_{da}(s,x) = \exists_{x1'}\; (x1 \,\&\&\, (x1' == x) \,\&\&\, z)$ 

$F_{da}(s,x) = (x1 \,\&\&\, z)$ 

4.7 Augmented Equivalent Combinational Assumption 
Constraints 

F_da(s,x) can be used to form a constraint, that creates the following 
augmented equivalent combinational assumption constraints: 

( ( !y && x2 ) || ( y && z1 ) ) == 0 
( x1 && z ) == 0 

Alternatively, the augmented equivalent combinational assumption 
constraints can be expressed as follows, where RV values must be found such 
that all the expressions evaluate to Logic One: 

!( ( !y && x2 ) || ( y && z1 ) ) 
!( x1 && z ) 

As can be seen, the additional constraint does solve the conflict problem 
since, if "x1" is Logic One, "z" must be assigned the value zero. 
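The deadend-avoidance computation of Sections 2 and 4, together with the strong variant of Section 3, carried out in Python on the Figure 6 pipeline; this is an added illustration and not the patent's code. Instead of BDDs it enumerates the eight states (x1, x2, z1) and eight input vectors (x, y, z) explicitly, so BDD_FORALL, BDD_EXIST and BDD_SUBSTITUTE become set comprehensions; because every register of the pipeline has exactly one next value, N(s,x,s') is a function here and "there exists s' with N(s,x,s') = 1 and P(s')" reduces to P(next_state(s,x)). The names next_state, inevitable, analyse and legal_inputs are mine; for the strong variant, z is treated as the DUT/DUV output (xout) and x, y as the environment-controlled inputs (xin), as in Section 5, and the strong fixed point the code computes, (x2 && z1) || x1, is my own result rather than a value stated on the page.

```python
from itertools import product
from typing import Dict, FrozenSet, Tuple

# State s = (x1, x2, z1): registers 611, 610, 620 under the Section 4 names.
# Input x = (x, y, z): in Sections 2 and 4 all three are environment outputs;
# in the strong variant (Section 3) z is a DUT/DUV output, i.e. "xout".
State = Tuple[bool, bool, bool]
Inputs = Tuple[bool, bool, bool]

ALL_STATES: FrozenSet[State] = frozenset(product((False, True), repeat=3))
ALL_INPUTS: FrozenSet[Inputs] = frozenset(product((False, True), repeat=3))
INITIAL_STATE: State = (False, False, False)   # R_0: all monitor registers zero


def fail(s: State, x: Inputs) -> bool:
    """F(s,x) = (!y && x2) || (y && z1), the assumption error of Figure 6."""
    _x1, x2, z1 = s
    _xin, y, _z = x
    return (not y and x2) or (y and z1)


def next_state(s: State, x: Inputs) -> State:
    """N(s,x,s') of the pipeline: x1' = x, x2' = x1, z1' = z. Each register has
    exactly one next value, so N is a function and the existential over s'
    in the patent's formulas becomes a lookup of this single successor."""
    x1, _x2, _z1 = s
    xin, _y, z = x
    return (xin, x1, z)


def deadend_states() -> FrozenSet[State]:
    """D_0 = { s | forall x: F(s,x) = 1 }, states with no legal transition."""
    return frozenset(s for s in ALL_STATES
                     if all(fail(s, x) for x in ALL_INPUTS))


def inevitable(D: FrozenSet[State], strong: bool) -> FrozenSet[State]:
    """One backward step, the INEVITABLE procedure of Section 2.3.
    plain : forall (x,y,z): next_state in D
    strong: exists z forall (x,y): next_state in D   (Section 3, z = xout)"""
    result = set()
    for s in ALL_STATES:
        if strong:
            ok = any(all(next_state(s, (a, b, z)) in D
                         for a in (False, True) for b in (False, True))
                     for z in (False, True))
        else:
            ok = all(next_state(s, x) in D for x in ALL_INPUTS)
        if ok:
            result.add(s)
    return frozenset(result)


def augmented_deadend_states(D0: FrozenSet[State],
                             strong: bool = False) -> FrozenSet[State]:
    """Backward fixed point D_{k+1} = D_k U INEVITABLE(D_k)."""
    D = D0
    while True:
        prev = D
        D = D | inevitable(D, strong)
        if D == prev:
            return D


def reachable_states(R0: FrozenSet[State]) -> FrozenSet[State]:
    """Forward fixed point R_{k+1} = R_k U REACHABLE(R_k)."""
    R = R0
    while True:
        prev = R
        R = R | frozenset(next_state(s, x) for s in R for x in ALL_INPUTS)
        if R == prev:
            return R


def fail_with_deadend_avoidance(RD: FrozenSet[State]
                                ) -> FrozenSet[Tuple[State, Inputs]]:
    """F_da(s,x) = exists s': N(s,x,s') && RD(s'), returned as the set of
    (s,x) pairs on which it is Logic One (the F_WITH_DA procedure)."""
    return frozenset((s, x) for s in ALL_STATES for x in ALL_INPUTS
                     if next_state(s, x) in RD)


def legal_inputs(s: State,
                 fda: FrozenSet[Tuple[State, Inputs]]) -> FrozenSet[Inputs]:
    """Solutions of the augmented constraint set F(s,x) == 0 and
    F_da(s,x) == 0: the input vectors a combinational solver may pick in s."""
    return frozenset(x for x in ALL_INPUTS
                     if not fail(s, x) and (s, x) not in fda)


def analyse(strong: bool = False) -> Dict[str, FrozenSet]:
    """Steps 711 to 717 of Figure 7B by explicit enumeration."""
    D0 = deadend_states()
    D = augmented_deadend_states(D0, strong)
    R = reachable_states(frozenset({INITIAL_STATE}))
    RD = R & D                                   # step 716
    return {"D0": D0, "D": D, "R": R, "RD": RD,
            "F_da": fail_with_deadend_avoidance(RD)}


if __name__ == "__main__":
    res = analyse()
    print("D0 (x1,x2,z1):", sorted(res["D0"]))
    print("reachable states:", len(res["R"]))
    print("legal inputs in state x1=1,x2=0,z1=0:",
          sorted(legal_inputs((True, False, False), res["F_da"])))
```

Running analyse() reproduces the hand derivation of Section 4: D_0 is the two states with x2 && z1, the backward step adds nothing, all eight states are reachable, and F_da is Logic One exactly on the pairs with x1 && z, so in a state with x1 set the solver is left only the four input vectors with z = 0. With strong=True the backward step also absorbs every state with x1 set, which is the restriction on testing that Section 3 warns about.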

5. Symbolic Example of Strong Deadend State 
Avoidance 

This section symbolically simulates operation of the above steps of 
Section 3 ("Conversion With Strong Deadend Avoidance") upon the example of 
Figure 6. As discussed above, the difference from non-strong deadend 
avoidance is in the backward, fixed point, determination of deadend states. 
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For this example, we consider "z" to be a DUT/DUV output that is 
therefore not controllable by the environment but, in all other respects, the 
example is the same as that of Figure 6. As discussed above, the determination 
of D(s) can be accomplished by the following formula: 

D_{i+1}(s) = D_i(s) ∪
    { s | ∃xout ∀xin ∃s' ( N(s,xout,xin,s') == 1 && (D_i(s)|_{s→s'}) == 1 ) }

Determination of D_1(s) from D_0(s) is as follows:

D_1 = D_0 ∪
    { s | ∃xout ∀xin ∃s' ( N(s,xout,xin,s') == 1 && (D_0|_{s→s'}) == 1 ) }

D_1 = (x2 && z1) ∪
    { s | ∃z ∀x ∀y ∃x2', ∃x1', ∃z1'
        ((x2' == x1) && (x1' == x) && (z1' == z))
        && ((x2 && z1)|_{s→s'}) }

D_1 = (x2 && z1) ∪
    { s | ∃z ∀x ∀y ∃x2', ∃x1', ∃z1'
        ((x2' == x1) && (x1' == x) && (z1' == z))
        && (x2' && z1') }

Since the above equation for D_1(s) is identical to that which was solved in Section 4.3 ("Augmented Deadend States Set"), except that "z" is existentially quantified rather than universally quantified, the determination of D_1(s) continues below at the point where x1', x2' and z1' have been existentially quantified:

D_1 = (x2 && z1) ∪ { s | ∃z ∀x ∀y (x1 && z) }

D_1 = (x2 && z1) ∪ { s | ∃z ∀x (x1 && z) }

D_1 = (x2 && z1) ∪ { s | ∃z (x1 && z) }

D_1 = (x2 && z1) ∪ { s | x1 }

D_1 = (x2 && z1) || x1

Since a fixed point has not been reached in determining D_1(s), D_2(s) is determined as follows:

D_2 = D_1 ∪
    { s | ∃xout ∀xin ∃s' ( N(s,xout,xin,s') == 1 && (D_1|_{s→s'}) == 1 ) }

D_2 = ((x2 && z1) || x1) ∪
    { s | ∃z ∀x ∀y ∃x2', ∃x1', ∃z1'
        ((x2' == x1) && (x1' == x) && (z1' == z))
        && (((x2 && z1) || x1)|_{s→s'}) }

D_2 = ((x2 && z1) || x1) ∪
    { s | ∃z ∀x ∀y ∃x2', ∃x1', ∃z1'
        ((x2' == x1) && (x1' == x) && (z1' == z))
        && ((x2' && z1') || x1') }

D_2 = ((x2 && z1) || x1) ∪
    { s | ∃z ∀x ∀y ∃x2', ∃x1'
        (x2' == x1) && (x1' == x) &&
        ((!z && x1') || (z && x2') || (z && x1')) }

D_2 = ((x2 && z1) || x1) ∪
    { s | ∃z ∀x ∀y ∃x2' (x2' == x1) &&
        (x || (!x && z && x2')) }

D_2 = ((x2 && z1) || x1) ∪
    { s | ∃z ∀x ∀y (x1 && x) || (x1 && !x && z) || (!x1 && x) }

D_2 = ((x2 && z1) || x1) ∪
    { s | ∃z ∀x (x1 && x) || (x1 && !x && z) || (!x1 && x) }

D_2 = ((x2 && z1) || x1) ∪ { s | ∃z FALSE }

D_2 = ((x2 && z1) || x1)

Since D_2(s) equals D_1(s), a fixed point has been reached. Therefore, D(s) equals D_1(s). Since all states of the environment monitor are reachable from the initial state, RD(s) equals D(s).
The augmented fail function F_da can be determined from the above determined sets N(s,x,s') and RD(s). In mathematical set notation, determination of F_da can be described as follows:

F_da(s,x) = ∃s' ( N(s,x,s') == 1 && (RD(s)|_{s→s'}) == 1 )

F_da(s,x) = ∃x2', ∃x1', ∃z1' (
    ((x2' == x1) && (x1' == x) && (z1' == z))
    && (((x2 && z1) || x1)|_{s→s'}) )

F_da(s,x) = ∃x2', ∃x1', ∃z1' (
    ((x2' == x1) && (x1' == x) && (z1' == z))
    && ((x2' && z1') || x1') )

It can be observed that the equation just above is the same as one which was solved in this Section 5 while determining D_2(s), except that in the determination of D_2(s) there was also universal quantification. Using the result determined above for D_2(s), up to the point where universal quantification was performed, leads to the following result for F_da(s,x):

F_da(s,x) = ((x1 && x) || (x1 && !x && z) || (!x1 && x))

F_da(s,x) = (x || (x1 && !x && z))

F_da(s,x) can be used to form a constraint that creates the following augmented equivalent combinational assumption constraints:

( ( !y && x2 ) || ( y && z1 ) ) == 0
(x || (x1 && !x && z)) == 0
Depending upon the constraint solver, an alternate format, for the augmented equivalent combinational assumption constraints, is to find solutions where all of the following expressions return a value of Logic One:

!( ( !y && x2 ) || ( y && z1 ) )
!(x || (x1 && !x && z))

The expression !(x || (x1 && !x && z)) can be re-written as (!x && (!x1 || x || !z)), which can be simplified to (!x && (!x1 || !z)). The only RV of (!x && (!x1 || !z)) is "x," and finding a Logic One value for the expression requires always assigning a value of zero to "x."
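As an added example (not part of the patent text), the following Python script recomputes by plain enumeration what Sections 4.6, 4.7 and 5 derive symbolically: the backward deadend fixed point under both quantification regimes (all inputs universal versus ∃z ∀x ∀y with "z" a DUT/DUV output), the resulting fail function F_da, and the values of the RV "x" that remain admissible once the augmented combinational assumption constraints are imposed. The transition relation, the fail set x2 && z1 and the constraint expressions are taken from the page; the helper names, the 8-state enumeration and the comparison against the page's closed forms are this example's own.

```python
from itertools import product

# State bits of the environment monitor of Figure 6.  "x" and "y" are the
# environment's random variables (RVs); "z" is a DUT/DUV output under strong
# deadend avoidance and an ordinary controllable input otherwise.
STATE = ("x1", "x2", "z1")


def key(s):
    """Canonical (x1, x2, z1) tuple so that a state can be put in a set."""
    return tuple(s[v] for v in STATE)


def next_state(s, x, y, z):
    """Transition relation N(s, inputs, s') as given on the page:
    x2' == x1, x1' == x, z1' == z ("y" feeds no flip-flop).  Since the
    relation is deterministic, the existential over s' reduces to
    evaluating the single successor state."""
    return {"x1": x, "x2": s["x1"], "z1": z}


def d0(s):
    """D_0(s): the fail states, x2 && z1."""
    return bool(s["x2"] and s["z1"])


def all_states():
    for bits in product((0, 1), repeat=len(STATE)):
        yield dict(zip(STATE, bits))


def deadend_set(strong):
    """Backward fixed point D_{i+1} = D_i ∪ {s | Q inputs . D_i(next(s))},
    done by enumeration over the 8 states rather than symbolically.
    strong=False: ∀z ∀x ∀y, every input is environment-controlled (Section 4).
    strong=True:  ∃z ∀x ∀y, some DUT/DUV output value forces a deadend
                  whatever the environment chooses (Section 5)."""
    D = {key(s) for s in all_states() if d0(s)}
    while True:
        grown = set(D)
        for s in all_states():
            def env_forced(z):
                # ∀x ∀y: every environment choice steps into D for this z
                return all(key(next_state(s, x, y, z)) in D
                           for x in (0, 1) for y in (0, 1))
            hit = any(env_forced(z) for z in (0, 1)) if strong \
                else all(env_forced(z) for z in (0, 1))
            if hit:
                grown.add(key(s))
        if grown == D:
            return D  # fixed point reached; this is D(s)
        D = grown


def fail_function(D):
    """F_da(s, inputs) = ∃s' (N(s, inputs, s') && RD(s')), returned as the set
    of (x1, x2, z1, x, y, z) tuples that step straight into a deadend.  Every
    state of this monitor is reachable, so RD(s) == D(s) as the page notes."""
    return {(*key(s), x, y, z)
            for s in all_states()
            for x, y, z in product((0, 1), repeat=3)
            if key(next_state(s, x, y, z)) in D}


def page_formula(strong):
    """The closed forms the page derives, for comparison with the enumeration:
    x1 && z (Section 4.6) and x || (x1 && !x && z) (Section 5)."""
    keep = (lambda x1, z, x: x or (x1 and not x and z)) if strong \
        else (lambda x1, z, x: x1 and z)
    return {(x1, x2, z1, x, y, z)
            for x1, x2, z1, x, y, z in product((0, 1), repeat=6)
            if keep(x1, z, x)}


def admissible_x(F, s, z):
    """Values of RV "x" for which both augmented combinational assumption
    constraints hold for some y: !((!y && x2) || (y && z1)) and !F_da."""
    return {x for x in (0, 1) for y in (0, 1)
            if not ((not y and s["x2"]) or (y and s["z1"]))
            and (*key(s), x, y, z) not in F}
```

Running `deadend_set(False)` returns only the two fail states (the fixed point is immediate, matching RD(s) = x2 && z1), while `deadend_set(True)` also absorbs every state with x1 set, matching D(s) = (x2 && z1) || x1. In the non-strong case `admissible_x` shows that from a state with x1 = 1 the RV "x" is unconstrained when z = 0 and no assignment survives when z = 1, which is the conflict the (x1 && z) == 0 constraint resolves by forcing z to zero; in the strong case it returns {0} regardless of z, which is the "x" fixed to Logic Zero that the text describes.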

Since strong deadend avoidance assumes no knowledge of the DUT/DUV output (meaning any value is possible), the result of applying such strong deadend avoidance (for the above example) is input "x" being constrained to a constant value of Logic Zero. This may lead, however, to avoiding the detection of design errors since, for example, there may be certain design errors that can only be discovered if "x" is set to a Logic One.

Knowledge of DUT/DUV structure can be used in formulating deadend avoidance constraints, but such avoidance can also lead to design errors not being detected. For example, assume in the previous example, that if the DUT/DUV is operating correctly, its "z" output is a Logic Zero in response to "x" being a Logic One. Assume, however, that the DUT/DUV contains a design error that causes "z" to be Logic One in response to "x" being Logic One. A deadend avoidance algorithm, incorporating such erroneous DUT/DUV design knowledge, would produce a constraint fixing "x" to a Logic Zero and the erroneous operation of the "z" output would never be stimulated to occur.

As an alternative to the DUT/DUV structure itself, a reference specification for the DUT/DUV (also known as a golden reference) can be used to predict its behavior. A problem with the use of such a reference specification is that it may not be available or may not be in a form suitable for deadend avoidance analysis. Assertions can be used as a partial reference specification to reduce, relative to strong deadend avoidance, the likelihood of design errors not being detected.
6. HARDWARE ENVIRONMENT

The sequential constraint solving architecture of the present invention can be executed within a computing environment (or data processing system) such as that of Figure 9. Figure 9 depicts a workstation computer 1600 comprising a Central Processing Unit (CPU) 1601 (or other appropriate processor or processors) and a memory 1602. Memory 1602 has a portion of its memory 1603 in which are stored the software tools (or computer programs) and data of the present invention. While memory 1603 is depicted as a single region, those of ordinary skill in the art will appreciate that, in fact, such software and data may be distributed over several memory regions or several computers. Furthermore, depending upon the computer's memory organization (such as virtual memory), memory 1602 may comprise several types of memory (including cache, random access memory, hard disk and networked file server). Computer 1600 can be equipped with a display monitor 1605, a mouse pointing device 1604 and a keyboard 1606 to provide interactivity between the software of the present invention and the chip designer. Computer 1600 also includes a way of reading computer readable instructions from a computer readable medium 1607, via a medium reader 1608, into the memory 1602. Computer 1600 also includes a way of reading computer readable instructions via the Internet (or other network) through network interface 1609.

In one embodiment, the processes for solving sequential constraints can be implemented within software produced by Synopsys, Inc., of Mountain View, California, USA. An example of such Synopsys software is Magellan. Magellan verifies a high-level specification of a circuit design that has typically been specified in Verilog or VHDL. Magellan provides two main types of verification techniques: simulation (using the VCS HDL Simulator for a Verilog DUT/DUV or the Scirocco simulator for a VHDL DUT/DUV) or formal property verification.

In some embodiments, computer programs embodying the present invention are stored in a computer readable medium, e.g. CD-ROM or DVD. In other embodiments, the computer programs are embodied in an electromagnetic carrier wave. For example, the electromagnetic carrier wave may include the programs being accessed over a network.

While the invention has been described in conjunction with specific embodiments, it is evident that many alternatives, modifications and variations will be apparent to those skilled in the art in light of the foregoing description. Accordingly, it is intended to embrace all such alternatives, modifications and variations as fall within the spirit and scope of the appended claims and equivalents.